Invited Talks

Keynote 1

Lightweight Authenticated Encryption

Speaker: Florian Mendel


Driven by a demand for cryptographic protection in resource-constrained embedded devices, lightweight cryptography has been actively studied in the last decades. While block ciphers and hash functions have received a great deal of attention from the cryptographic community, resulting in plenty of new designs, authenticated encryption schemes have arguably been less popular among researchers for a long time. At the same time, message secrecy – as provided by plain encryption – is often of limited value in practice if not accompanied by message authentication, showing the need for dedicated authenticated encryption schemes in the field. This is also reflected by NIST’s standardization efforts, which have resulted in plenty of new proposals for lightweight authenticated encryption schemes tailored for resource-constrained devices in the last few years, usually optimizing the area and power consumption of the primitive in hardware and/or software.

Resource-constrained devices are often used in environments in which side-channel attacks need to be considered and countermeasures against the attacks need to be implemented with limited resources, which is a challenging task. Today, there exist essentially two different approaches to counteract side-channel attacks. The first approach works by hardening the implementation of cryptographic algorithms with techniques like hiding or masking. The drawback of this approach is that the overhead for securing a cryptographic primitive against side-channel attacks might be very high and depends on the cryptographic primitive itself. Therefore, several ciphers have been proposed in the past to reduce this cost. For example, several of the authenticated encryption schemes submitted to the NIST standardization process have been designed with this goal in mind. The second approach to counteract side-channel attacks is to design the cryptographic protocol or scheme in such a way that certain types of side-channel attacks cannot be performed on the underlying cryptographic primitive, thereby significantly reducing the cost of implementing additional countermeasures. Examples of such an approach are leakage-resilient cryptography and fresh re-keying, which have recently been adapted for authenticated encryption and resulted in a number of new schemes.

In this talk, we will review both approaches and discuss their advantages for particular use cases by means of two examples, Ascon and ISAP. First, we will discuss Ascon, which has recently been selected by NIST for standardization for lightweight cryptography. We show that the simple design of Ascon allows quite efficient implementations of countermeasures against side-channel attacks in both software and hardware. This makes Ascon, in general, an excellent choice for applications that need some side-channel protection.

Then we will discuss ISAP, an authenticated encryption scheme based on the Ascon permutation that incorporates ideas from leakage-resilient cryptography to address several classes of side-channel attacks already at the mode level. This allows very efficient implementations of the scheme with low overhead in scenarios where side-channel robustness is needed, albeit at the cost of a higher runtime compared to dedicated schemes in scenarios where this might not be needed. Therefore, ISAP is best suited for applications where performance is not critical (e.g. firmware updates), but robustness against side-channel attacks is needed, and code size and area matter.

This is joint work with: Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Bart Mennink, Robert Primas, Martin Schläffer, and Thomas Unterluggauer.

Short Bio

Florian Mendel is a cryptographer and security architect at Infineon Technologies. He has a PhD degree in Computer Engineering and worked for many years in research before joining Infineon Technologies in 2017. Florian is well-known for his contributions in symmetric cryptography. Among others, he is a co-designer of the hash function Grøstl, a NIST SHA-3 finalist, and the lightweight authenticated encryption algorithm Ascon, which was recently selected by NIST as the new standard for lightweight cryptography.

Keynote 2

Recent Developments on Threshold Implementations: Practical Aspects of Theoretical Models

Speaker: Siemen Dhooghe


Ever since 1999, we have been using masking methods to counter side-channel attacks. These masking techniques have significantly developed over the course of twenty years. More specifically, the way we argue about their security has improved, from including leakage effects such as glitches and transition effects to allowing for higher-order security and trivial composability. Security models have played a central role in how we design masking methods.

In this presentation, we go over the timeline of these improvements and highlight some interesting turnarounds. We then present some security models which are used in academia now, namely the probing model and the random probing model, and we present their functionality and their challenges. We also present two newer models which include a bounded query model and a computational model.

The goal is to make people aware of some interesting problems in the field which could be tackled with the tools that we currently have. We highlight the difference between problems interesting to the theoretical community and problems interesting to the practical community with the attempt to bridge the gap between the two. The end goal: efficient countermeasures which have extensive provable security.

Short Bio

Siemen Dhooghe is currently a postdoc at COSIC at KU Leuven. His research focuses on the design of side-channel and fault countermeasures in hardware and software with the goal of having practical, secure, and efficient solutions. More specifically, his research focuses on masking and encoding techniques with the goal of having a clear understanding of their security such that costs can be minimized. For example, Siemen has focused on extending the understanding of higher-order threshold implementations with the result of providing second-order secure maskings without the need for fresh randomness. Siemen has published articles in conferences such as CHES, CARDIS, CCS, Asiacrypt, and CT-RSA.

Industrial Session

Presentation 1 (Secure-IC)

PQC-Ready Securyzr: A Full-Fledged Integrated Secure Element Complying with PQC Requirements in Terms of Firmware Management and Cryptographic Services

Speaker: Wei Cheng


Post-quantum cryptography (PQC) is the future. However, the adoption and transition to PQC do not end with the selection and standardization of PQC algorithms. Secure integration with existing systems is also mandatory and it is the key to ready-to-use applications and systems.

In this presentation, I unveil the Secure-IC PQC-ready Securyzr integrated Secure Element (iSE). I show that PQC adoption and migration are made easy when already integrated and thus ready to use out-of-the-box in an iSE (integrated Secure Element, a.k.a. security subsystem or security enclave). I also detail the performance, including the fact that PQC algorithms can bring additional value, such as being faster than the pre-quantum NSA Suite B algorithms (such as ECDH, ECDSA). Finally, I insist on the fact that PQC-ready Securyzr already provides compliance with Common Criteria (CC) requirements, in terms of side-channel analysis protection, FIPS 140-3 in terms of key management, and EN ETSI 303 645 & NIST SP 800-193 with FW update capability.

Short Bio

Wei Cheng is a Post-doc R&D Researcher and OSCCA Expert in the cyber-security certification team at Secure-IC S.A.S., and also an Associate Researcher (Invited) at Télécom Paris. He obtained his Ph.D. degree in Information and Communications in 2021 from Télécom Paris, Institut Polytechnique de Paris, France. Before this, he received the B.S. degree from Wuhan University, China, and the M.E. degree from the IIE, Chinese Academy of Sciences, China. He received the ICE Best PhD Thesis Prize from the Institut Polytechnique de Paris (2022). His research interests include information theory, side-channel analysis, and masking countermeasures (mainly on code-based masking, including inner product masking, direct sum masking, polynomial masking, and other variants) for embedded systems and secure cryptographic implementations. He also works on Machine (Deep) Learning-based analysis of Physical Unclonable Functions (PUFs).

Presentation 2 (eShard)

SOC: Spot the Odd Circuit

Speaker: Pierre-Yvan Liardet


Hardware attacks and IoT or mobile devices: a real threat? To what extent can a complex SoC, with multiple cores, dedicated hardware cryptographic instructions, cache memories, pipelining, ..., be a realistic target for a hardware attack? Are the operating frequency in gigahertz, or the technology, today in nanometers, real obstacles for fault injection and side-channel experts? In this talk, I will share our experiments on this topic with one objective: recover the secret key involved in the encryption or decryption of a single image taken with the camera of my phone.

Short Bio

Pierre-Yvan is the Chief Scientist at eShard, a company based in Pessac, France, where he coordinates the expertise projects of the IC Security activity. He is responsible for the R&D aspects and contributes to the development of tools for evaluating resistance to hardware attacks leveraging side-channels or perturbations. Before joining eShard, Pierre-Yvan spent 22 years at STMicroelectronics (STM), where he worked in the Secure Micro Division as a Cryptologist Expert. His contributions included specification, development, and validation of security for STM Secure ICs. His work mainly focused on the security of SoCs (System on Chip) and Cryptography applied to embedded systems.

Pierre-Yvan has a PhD in Computer Science and Microelectronics from the University of Montpellier (LIRM). In his thesis, he proposed innovative approaches to handle side-channel attacks at the hardware, mathematical, and algorithmic levels. He founded and directed the Cryptography and Security Laboratory (CSLab) within STMicroelectronics for almost 15 years.

In 2016, he was nominated by the European Patent Office, along with his teams, for their numerous contributions in the Industry category for the Inventor of the Year 2016 Award. During 2018 and 2019, involved in activities of the CooLab of STMicroelectronics, he supported business projects that resulted in the establishment of a brainstorming structure for innovation.

In the past, Pierre-Yvan spent four years at SOLAC Smartcard Industries and Schlumberger Card and System as a Cryptologist, where he developed cryptographic libraries for smartcard products.

Presentation 3 (Riscure)

Riscure Vision on Post Quantum Cryptography

Speaker: Marc Witteman


PQC is becoming a reality, now that NIST has approved the first candidate algorithms. At Riscure we have followed this technology, and we are ready to help our customers to master the security of this complex topic. With the long security testing experience in our evaluation lab, we know which threats are prevalent and how weaknesses can be recognized. PQC products will in many cases use a mix of hardware and software features for optimal performance and flexibility. Our security test tooling is designed to facilitate the detection of exploitable vulnerabilities, both in complete products, as well as in chip designs. With our patented pre-silicon root cause analysis method we make it easy for customers to recognize the source of problems and experimentally find the best solutions. The presentation is primarily intended for product developers who are puzzled by the complexity and variety of side channel and fault injection threats, and seek guidance on how to get security assurance for their product.

Short Bio

Marc Witteman has a long track record in the security industry. He has an MSc degree in Electrical Engineering and worked for many years in research. Marc has been involved with a variety of security projects for over three decades and worked in the area of device security on both hardware and software topics.

In 2001, he founded Riscure, and in two decades, he developed the company through strong organic growth into a world-renowned security lab and security test tool vendor. In addition to the headquarters in Delft, the Netherlands, he opened offices in San Francisco and Shanghai, while building a unique culture and fostering a passion for security in the team.

As a technical entrepreneur, Marc holds both the CEO and CTO roles at Riscure.